Issue #14246 has been updated by Daniel Sauble.

Status changed from Needs Decision to Accepted
Assignee changed from Daniel Sauble to Daniel Pittman

This seems relatively straightforward to me. If allow_duplicate_certs = true, 
it should be possible for a node to overwrite an existing signed cert, given 
the same certname.

In Sites, I'd like to discourage this behavior by requiring a --force flag.

<pre>
node02$ puppet node join site02.domain.com < site.key
Added node02.domain.com to the site at site02.domain.com

node02$ puppet node join site02.domain.com < site.key
Error: node02.domain.com is already part of the site at site02.domain.com
  Use `puppet node join site02.domain.com --force` to force the operation

node02$ puppet node join site02.domain.com --force < site.key
Added node02.domain.com to the site at site02.domain.com
</pre>

Of course, if allow_duplicate_certs = false, --force has no effect.
----------------------------------------
Bug #14246: allow duplicate certs does not work with agent/master
https://projects.puppetlabs.com/issues/14246#change-61987

Author: Dan Bode
Status: Accepted
Priority: Normal
Assignee: Daniel Pittman
Category: sites
Target version: 
Affected Puppet version: 
Keywords: 
Branch: 


On my master, I set:

<pre>
[main]
  allow_deplicate_certs = true
</pre>

On the master, I regenerate a private key and get the failure:

<pre>
root@cygnet-2:~# puppet agent -t --ssldir=/tmp/
info: Creating a new SSL key for cygnet-2.cygnet.lab
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for cygnet-2.cygnet.lab
err: Could not request certificate: The certificate retrieved from the master 
does not match the agent's private key.
Certificate fingerprint: B5:FE:4C:B6:D8:75:2C:8D:FD:05:48:53:43:DC:B4:10
To fix this, remove the certificate from both the master and the agent and then 
start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean cygnet-2.cygnet.lab
On the agent:
  rm -f /tmp/certs/cygnet-2.cygnet.lab.pem
  puppet agent -t

</pre>

It appears that the agent does not actually resend its cert req if one already 
exists, meaning that allow duplicate certs does not work with puppet agent.

This issue was observed with Puppet 2.7.12, but I do not believe it is a 
regression.
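An added illustration, not code from Puppet or from either poster: the check behind the "does not match the agent's private key" error is whether the certificate's public key belongs to the private key on disk, and the master-side policy the thread discusses is whether a second certificate for an already-signed certname may replace the first. The `CertStore` class, the `sign`/`force:` names and the self-signed stand-in certificates are assumptions made for the example; only the `allow_duplicate_certs` semantics (duplicate overwrite needs both the setting and the force flag) come from the thread.

```ruby
require 'openssl'

# Constructed stand-in for a CA-signed agent certificate: self-signed, because
# the checks below only look at the public key and the DER bytes.
def issue_cert(key, certname)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The agent-side check: does the retrieved certificate's public key pair with
# the private key in ssldir? A freshly regenerated key fails this.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Colon-separated MD5 fingerprint of the DER certificate, the form the agent
# prints in its error message (16 bytes, so MD5 is assumed here).
def fingerprint(cert)
  OpenSSL::Digest.new('MD5').digest(cert.to_der).unpack1('H*').upcase.scan(/../).join(':')
end

# Hypothetical certname -> certificate store modelling the master-side policy:
# a second request for an existing certname is refused unless duplicates are
# allowed AND the caller forces it; with duplicates disallowed, force is inert.
class CertStore
  def initialize(allow_duplicate_certs: false)
    @allow_duplicate_certs = allow_duplicate_certs
    @certs = {}
  end

  # Returns [:added, cert] or [:already_joined, existing_cert].
  def sign(certname, key, force: false)
    if @certs.key?(certname) && !(@allow_duplicate_certs && force)
      return [:already_joined, @certs[certname]]
    end
    @certs[certname] = issue_cert(key, certname)
    [:added, @certs[certname]]
  end
end
```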

